Tuesday, March 27, 2012


Here’s a little story of fraud and imagination with a few important lessons regarding security…

This story starts in a roundabout way with a missing checkbook.  If you are one of those people who travel a lot, you realize how often you are looking for a missing item.  Several months ago on one of our many trips between our two houses, a checkbook was misplaced.  We looked at Mike’s house, tore apart his car and had my mom search her house all to no avail. 

To this day Mike is convinced that his Dodge Nitro ate the checkbook and it will eventually turn up, but he took precautions nonetheless.  He reduced the balance in this account to $400, and he moved recurring transactions to another checking account.  Several months went by, and there was no sign that anyone had the checkbook.

Last Thursday night while doing some online banking, Mike discovered that the balance in this checking account was now zero. He looked online for a copy of the check and instead found two PayPal transactions.  He then viewed his PayPal account and realized that his account initiated these purchases.

Being the helpful wife that I am, I asked if he had forgotten about some purchase he had made recently using PayPal.  When he located the payee on these transactions and went to their web site, he promptly informed me he had not purchased a prom dress!

Next began a whole weekend of phone calls to the bank to prohibit transactions on this checking account and to PayPal to report fraud.  Fortunately everyone assured him that the $400 would be refunded to his account.  Here’s where things really got kind of funky…

Thinking now that this was not about his missing checkbook but that someone hacked into his PayPal account, Mike wanted to change his password.  Talking with PayPal customer service early Friday morning, they said they would send him an email with information regarding these two transactions.  Mike checked throughout the day on Friday, and he didn’t receive their email.  Being slightly paranoid, he continued to check out things on his computer.  I told him it was just like CSI except he wasn’t using Q-tips!

His next comment was “you won’t believe this, but I found the email from PayPal in my sent box”.  He also found several other emails that he had not sent.  He called Yahoo to discuss a possible mail problem.  During their troubleshooting, they asked him to check mail filters.  Much to his surprise, Mike found 3 filters directing incoming email from PayPal, eBay, and the prom dress store to be put into his sent mail folder instead of the inbox.  He suddenly realized that someone had hacked his email to hide these fraudulent transactions!

The plot thickened as he read the emails in his sent box… The prom dress store sent an email to Mike asking about the shipping address being different than the billing address.  They asked for some documentation proving the identity of Mike as the purchaser.  The ‘perp’, posing as Mike and using his email, sent the prom dress store a copy of ‘Mike’s Verizon bill’.  This bill, which we had never seen before, had Mike’s postal address pasted in, and it included a phone number that was not Mike’s cell phone number.

So now the real paranoia sets in.  Someone has hacked your PayPal account, made purchases from a store in China and hacked into your email to cover up the transactions.  Mike proceeded to spend many hours changing passwords on every account possible, deleting email filters, providing documentation to PayPal and doing more investigation. 

Here’s what he found through a whole series of web searches. 
The prom dress store was located in China. The emails sent from his account included a name and phone number.  The phone number had a Santa Barbara prefix.
The name signed on the email was the same as a past president of Vietnam, and judging from the number of people with this name, it was a popular name. Surely all this information was bogus, but coincidentally, we had just vacationed in Santa Barbara…

So, there is our tale of attempted fraud.  Our imaginations went crazy these past few days.  Why buy prom dresses from China?  Or was this really a money laundering company?  What is the China connection anyway?  Was it a person or a ‘bot’ that hacked into Mike’s accounts?  Why put emails into the sent box instead of deleting them?  Why include a name and phone number on the email sent under Mike’s name?  Was this a mistake or by design?  Did the use of Mike’s iPad in Santa Barbara have anything to do with this?  Is there anything else we should be worried about?

Ok, finally the lessons learned from all of this:

1. Don’t use your email password on any other account as email may not be secure with mobile devices. Turns out Mike had the same password for email and PayPal.  Oops!
2. Change passwords frequently and make them difficult, especially if the user name is your email address.
3. Check your online bank and credit card transactions frequently to ensure they are legit.
4. If you find something suspicious, report it to your financial institution ASAP, which gives you a better chance of a refund.
5. Review whether email filters are in place.
6. Review your sent emails to make sure you sent them.
7. Be slightly paranoid about your computer and file security.
8. Don’t be afraid to indulge in a little international intrigue…

